US2009076965A1PendingUtilityA1

Counteracting random guess attacks against human interactive proofs with token buckets

46
Assignee: MICROSOFT CORPPriority: Sep 17, 2007Filed: Sep 17, 2007Published: Mar 19, 2009
Est. expirySep 17, 2027(~1.2 yrs left)· nominal 20-yr term from priority
H04L 63/1441G06F 21/36H04L 63/1491G06F 2221/2133
46
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method that facilitates and effectuates distinguishing a human from a non-human user. A human interactive proof (HIP) employs a token bucket algorithm in order to reduce the success rate for a non-human user employing a guessing or artificial intelligence to solve a substantial number of HIP challenges. The algorithm can employ token buckets associated with IP address and user session from which the user is attempting to solve the HIP challenge. If a token bucket is empty the algorithm can treat a correct response as incorrect and refill a portion of the buckets for a further attempt. This forces two correct responses to be received by a user within the refill quantity for the users bucket(s) before the user is identified as human.

Claims

exact text as granted — not AI-modified
1 . A system for distinguishing between a human and non-human user, comprising:
 a human interactive proof (HIP) challenge component that displays a HIP challenge to a user,   HIP determination component that determines if the user is a human or non-human based upon a response to the challenge provided by the user, wherein the HIP determination component employs at least one token bucket associated with the user in making the determination.   
   
   
       2 . The system of  claim 1 , wherein the token bucket is associated with an IP address from which the user is attempting to solve the challenge and the IP address token bucket is initialized to a predetermined initial value. 
   
   
       3 . The system of  claim 2 , wherein a user session token bucket is associated with a user session from which the user is attempting to solve the challenge and the user session token bucket is initialized to a current value of the IP address token bucket. 
   
   
       4 . The system of  claim 3 , wherein the HIP determination component subtracts at least one token from the IP address token bucket upon creation of a user session. 
   
   
       5 . The system of  claim 4 , wherein the HIP determination component subtracts at least one token from the IP address token bucket and subtracts one token from the user session token bucket upon the user submitting a response to the challenge. 
   
   
       6 . The system of  claim 5 , wherein the HIP determination component determines the user is non human if the token bucket is empty. 
   
   
       7 . The system of  claim 5 , wherein the HIP determination component determines that the user is non human or human based upon the response submitted by the user if the token bucket is not empty. 
   
   
       8 . The system of  claim 7 , wherein the HIP determination component refills the IP address token bucket and user session token bucket by a predetermined refill value if the user response is correct. 
   
   
       9 . The system of  claim 1 , wherein the HIP determination component initializes the token bucket to a predetermined initial value. 
   
   
       10 . The system of  claim 9 , wherein the HIP determination component subtracts at least one token from the token bucket upon the user submitting a response to the challenge. 
   
   
       11 . The system of  claim 10 , wherein the HIP determination component determines the user is non human if the token bucket is empty. 
   
   
       12 . The system of  claim 10 , wherein the HIP determination component determines that the user is non human or human based upon the response submitted by the user if the token bucket is not empty. 
   
   
       13 . The system of  claim 12 , wherein the HIP determination component refills the token bucket by a predetermined refill value if the user response is correct. 
   
   
       14 . A method for distinguishing between a human and non-human user, comprising:
 displaying a HIP challenge to a user; and   determining if the user is a human or non-human based upon a response to the challenge provided by the user, wherein at least one token bucket associated with the user is employed in making the determination.   
   
   
       15 . The method of  claim 14 , further comprising:
 associating an IP address token bucket to the user that is associated with an IP address from which the user is attempting to solve the challenge;   initializing the IP address token bucket to a predetermined initial value;   associating a user session token bucket to the user that is associated with a user session from which the user is attempting to solve the challenge; and   initializing the user session token bucket to a current value of the IP address token bucket.   
   
   
       16 . The method of  claim 15 , subtracting at least one token from the IP address token bucket upon creation of a user session. 
   
   
       17 . The method of  claim 16 , subtracting at least one token from the IP address token bucket and subtracting one token from the user session token bucket upon the user submitting a response to the challenge. 
   
   
       18 . The method of  claim 17 , further comprising:
 determining that the user is non human if the token bucket is empty; and   determining that the user non human or human based upon the response submitted by the user if the token bucket is not empty.   
   
   
       19 . The method of  claim 18 , refilling the IP address token bucket and user session token bucket by a predetermined refill value if the user response is correct. 
   
   
       20 . A system for distinguishing between a human and non-human user, comprising:
 means for displaying a HIP challenge to a user; and   means for determining if the user is a human or non-human based upon a response to the challenge provided by the user, wherein at least one token bucket associated with the user is employed in making the determination.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.